How Secure Is VPNBook?

What is VPNBook

VPNBook is a free VPN that's packed with some great surprises. Although the service doesn’t have its own app and lacks a large number server locations, it's very good at getting into video streaming services. So, if you just want a VPN to get into Netflix USA, this could very well be the one for you!

The company is based in Switzerland, with its customer support department located in Zurich. Switzerland is a good location for a VPN because it is legal to download copyrighted material there without paying as long as it is for personal viewing only. That said, the service does have restrictions on P2P downloading.

PROS

Free (advertising-supported) service

Third-party OpenVPN app for Windows, OS X, iOS, Android, and Linux

Option to use UPD or TCP

Enhanced privacy

Good speeds

CONS

Small server network

Connection logs kept for one week

VPNBook Features

The features of the company's package are:

Servers in four countries

Completely free

No activity logs

P2P allowed on two servers

No data throughput limits

Multi-lingual interface

A big problem for Brits abroad is that the VPN doesn't have any servers in the UK. The servers that are available are located in Manassas in Virginia, Montreal in Canada, Frankfurt in Germany and Bucharest in Romania.

The company doesn't use its own app, but relies on users downloading OpenVPN GUI. This is a free piece of software provided by the organization that administers the OpenVPN standard. One problem with this interface is that it requires you to enter a username and password every time you connect to a server.

Is VPNBook Secure?

VPNBook offers PPTP for manual setup and OpenVPN via the OpenVPN GUI interface. The OpenVPN implementation uses AES encryption with a 128-bit key. Most VPNs use a 256-bit key for their AES encryption. Those that advocate 128-bit keys explain that the encryption has never been cracked with a 128-bit key. As such, there is little point creating lots of extra work when this encryption provides sufficient protection.

AES is a symmetrical key system. This means that the same key is used to encrypt and decrypt messages. That signifies that both sides of the connection need to have the same key. In OpenVPN implementations, it is standard to use RSA encryption to protect the distribution of those keys.

Most VPNs use a 2048-bit key for their RSA encryption and the top VPN companies in the world have started using a 4096-bit key. So, VPNBook is a little behind the pack in this respect.

Although it is not particularly a bad thing that VPNBook relies on the free OpenVPN GUI program for its interface, the lack of a custom app means that the company was unable to build in extra safety measures that are common among VPN services. The main security feature that should be added to the interface is a kill switch to prevent apps from accessing the internet without the VPN being active on the line. Another useful security measure that other VPNs include is automatic WiFi protection, which VPNBook doesn't have.

Does VPNBook keep logs?

The company states that it does not keep activity logs. Unfortunately, it does keep connection logs, which include an IP address and timestamps. This information is all that copyright lawyers would need to trace your activity through to your door. The company keeps those connection logs for one week and despite their honorable intentions, they would have to hand those records over if they were presented with a court order.

Anonymous have accused VPNBook of being a honeypot, set up by the US authorities to trap transgressors. This is because records of connections through VPNBook turned up in the trial of a number of that organization's members. However, it could just be bad luck that the authorities managed to get in a court order for records during the week that VPNBook retains its connection logs.

Is VPNBook fast?

The speed tests of the VPNBook service were conducted while using the company's OpenVPN implementation, using UDP over port 53. In each case, five test runs were performed with testmy.net from a location in the Caribbean. Connections to the USA were made to a server in Miami and the Germany tests went to a server in Frankfurt.

I used IPLocation.net to test the actual location of the VPNBook servers that I accessed. The US1 server was unavailable, and so tests on connections to the USA ran without a VPN and then through connections to the VPNBook US2 and Canada servers. Transatlantic tests ran through the VPNBook server in Frankfurt-am-Main.

Graphs show highest, lowest and average speeds for each server and location. See our full speed test explanation for more detail.

When using a VPN to get into overseas video streaming services, you need to be sure that the VPN doesn't slow down the connection so much that it is too slow to watch streaming video comfortably. You need about 2 Mbps to watch SD video and 3 Mbps for HD video.

As you can see from the results, the US server slowed down the connection to below the necessary speeds for streaming video. However, I was able to watch videos from US sites - they just took a long time to load. The local internet speeds were not very fast, and so if you are in a location with slightly better underlying internet, then the impairment of VPNBook would not make it impossible to watch streaming video from the US.

The download speeds through the Canadian server were much better and would make it possible to watch SD video over the internet. However, the upload speeds on the same connection were inexplicably slow. I disconnected and reconnected several times and tested the speed of the unprotected line again each time to make sure that this performance was not due to faults with the underlying internet service. However, these slow upload speeds occurred every time when I was connected to the VPNBook Canadian server and not on the unprotected line.

More tests were performed with ipleak.net while I was connected to the VPNBook server US2, to check DNS leaks and the WebRTC bug. This site reported my location as Manassas, Virginia and all of the DNS servers that the test site recorded were in the United States. So, VPNBook successfully hid my identity.

While still connected to the US2 server, I accessed the test site doileak.net which also detected my location as being in the United States. This test site could find no WebRTC inconsistencies or DNS leaks.

My internet service provider does not use IPv6 addresses and so I was unable to test for IPv6 leaks.

Conclusion

VPNBook is not perfect, but its ability to get into Netflix USA is a remarkable achievement that puts this service ahead of a lot of very expensive VPNs.

It would be nice if the company could design its own app and include a kill switch and automatic WiFi protection. It would also be nice if they could make a UK server available. Stronger encryption for both RSA and AES would be a good idea if the company wants to attract users from China and the Middle East.

The company is very open about its retention of connection logs for a week. It would be good if they could find a way to monitor their systems without having to keep these logs. It is also good that the company makes it clear on the website which servers can be used for P2P downloading and which cannot.